Design question
I am wanting to use SCCM primarily for maintenance windows to deploy security updates to our internal and DMZ servers. What is the best way of setting this up cost-effectively? One server should be sufficient as we do not have more than 1000 servers. I would like to place the server on the internal network and open up the relevant ports so the DMZ servers can communicate with it. The SCCM server will solely be used for deploying Windows patches; there is no plan to deploy software or use any of the other features.
I'd be grateful for any advice, thanks.
September 30th, 2010 11:40am
Hi,
For DMZ I normally have a primary site server in the DMZ configured as a child site to my "internal" central site server. You will be able to service DMZ clients from an internal site server, it does however require that you open the ports specified in this article - http://technet.microsoft.com/en-us/library/bb632618.aspx
Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
September 30th, 2010 12:08pm
Thanks, it is possible to have one server on the internal LAN and open ports so the DMZ clients can communicate with it, isn't it?
If I went with your suggestion of putting a primary site server in the DMZ, would this require its own SQL installation and WSUS installation?
thanks.
September 30th, 2010 12:35pm
Hi,
1) Yes it is possible
2) Yes a primary site will require a SQL and WSUS
Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
September 30th, 2010 12:44pm
Thanks again,
What are the drawbacks of option 1? And what ports would be needed to implement this?
September 30th, 2010 12:52pm
So the Central site server and the primary site child server will each have their own SCCM db, and both have their own individual WSUS db?
What are the pros and cons for both scenarios please?
thanks.
September 30th, 2010 1:02pm
Ports are described here -
http://technet.microsoft.com/en-us/library/bb632618.aspx
Pros for having two separate sites are that only site servers communicate with each other, which makes it more firewall friendly.
Kent Agerlund | http://scug.dk/members/Agerlund/default.aspx | The Danish community for System Center products
September 30th, 2010 1:10pm
Cheers, how would a dedicated central site server work in a DMZ? Will it work? There is no Active Directory provision in the DMZ.
Could do with the pros and cons of scenario 1 as well please.
thanks.
September 30th, 2010 1:12pm
Hi,
ConfigMgr requires AD, so it will not work in the DMZ if there is no AD.
Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
December 19th, 2010 12:43pm